We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

ძიება მხარდაჭერაში

ნუ გაებმებით თაღლითების მახეში მხარდაჭერის საიტზე. აქ არასდროს მოგთხოვენ სატელეფონო ნომერზე დარეკვას, შეტყობინების გამოგზავნას ან პირადი მონაცემების გაზიარებას. გთხოვთ, გვაცნობოთ რამე საეჭვოს შემჩნევისას „დარღვევაზე მოხსენების“ მეშვეობით.

ვრცლად

DNS-to-HTTPS is causing the REMOTE_ADDR server variable to be incorrect

  • 2 პასუხი
  • 1 მომხმარებელი წააწყდა მსგავს სიძნელეს
  • 1 ნახვა
  • ბოლოს გამოეხმაურა jscher2000 - Support Volunteer

I am a software developer for a Human Resource Information System (HRIS) called EnterpriseAxis. My HRIS software checks the IP address of each user to determine whether or not the user is on the company's LAN or VPN. However, there is a bug in Firefox that prevents this security feature from working.

The bug is in DNS-to-HTTPS. When this feature is enabled in Firefox, it changes the value of the REMOTE_ADDR server variable. Normally, when a VPN tunnel is active, REMOTE_ADDR contains the workstation's IP address, such as 192.168.11.6. However, when DNS-to-HTTPS is enabled, REMOTE_ADDR contains the router's WAN IP address, such as 96.91.16.207.

Please correct the issue.

I am a software developer for a Human Resource Information System (HRIS) called EnterpriseAxis. My HRIS software checks the IP address of each user to determine whether or not the user is on the company's LAN or VPN. However, there is a bug in Firefox that prevents this security feature from working. The bug is in DNS-to-HTTPS. When this feature is enabled in Firefox, it changes the value of the REMOTE_ADDR server variable. Normally, when a VPN tunnel is active, REMOTE_ADDR contains the workstation's IP address, such as 192.168.11.6. However, when DNS-to-HTTPS is enabled, REMOTE_ADDR contains the router's WAN IP address, such as 96.91.16.207. Please correct the issue.

გადაწყვეტა შერჩეულია

I assume the HRIS server is on the LAN.

Firefox doesn't determine the IP address through which it accesses a web server. Your scenario suggests that the request is routing out through the firewall onto the public internet instead of staying within the LAN.

DNS-over-HTTPS (DoH) requests the HRIS server address from Cloudflare (or another provider) on the public internet. If the query fails, then Firefox should fall back to the local system for DNS. It sounds as though the customer may have public DNS configured for the hostname used by HRIS, in which case Firefox will obtain that public address and never learn the internal address.

If it is necessary to have an external DNS entry for this internal server, and the router cannot intercept the outbound Firefox request and keep it inside the LAN, I think your customers will need to manage their users' Firefox installations either by blocking DoH or by setting a hostname exception.

See:

https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs#w_how-does-firefox-handle-split-horizon-dns

To block DoH:

To exclude specific hostnames:

პასუხის ნახვა სრულად 👍 0

ყველა პასუხი (2)

HI John Bunch:

Please file a bug in bugzilla for this:

https://bugzilla.mozilla.org/enter_bug.cgi

Cheers!

..Roland

შერჩეული გადაწყვეტა

I assume the HRIS server is on the LAN.

Firefox doesn't determine the IP address through which it accesses a web server. Your scenario suggests that the request is routing out through the firewall onto the public internet instead of staying within the LAN.

DNS-over-HTTPS (DoH) requests the HRIS server address from Cloudflare (or another provider) on the public internet. If the query fails, then Firefox should fall back to the local system for DNS. It sounds as though the customer may have public DNS configured for the hostname used by HRIS, in which case Firefox will obtain that public address and never learn the internal address.

If it is necessary to have an external DNS entry for this internal server, and the router cannot intercept the outbound Firefox request and keep it inside the LAN, I think your customers will need to manage their users' Firefox installations either by blocking DoH or by setting a hostname exception.

See:

https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs#w_how-does-firefox-handle-split-horizon-dns

To block DoH:

To exclude specific hostnames: